Use existing setting but with new values
authorFlorian Zschocke <f.zschocke+git@gmail.com>
Sun, 14 Aug 2022 12:45:58 +0000 (14:45 +0200)
committerFlorian Zschocke <f.zschocke+git@gmail.com>
Sun, 14 Aug 2022 12:45:58 +0000 (14:45 +0200)
Instead of adding another setting and having to explain how the new one
and the existing `requireClientCertificates` setting are interdependent,
let's use the existing setting and add new values.

It is changed from a boolean to a string, with the values `required`,
`optional` and `disabled`. To keep backward compatibility with the old
values, the `true` value is mapped to `required` and the `false` value
is mapped to `optional`.

src/main/distrib/data/defaults.properties
src/main/java/com/gitblit/Constants.java
src/main/java/com/gitblit/GitBlitServer.java

index 604caa8f68b78a4b7f6e062804f303c75c711851..0d072b58ed0e0a9897ccae6a493cc56a80a0c66a 100644 (file)
@@ -2132,18 +2132,25 @@ server.certificateAlias = localhost
 server.storePassword = gitblit
 
 # If serving over https (recommended) you might consider requiring clients to
-# authenticate with ssl certificates.  If enabled, only https clients with the
-# a valid client certificate will be able to access Gitblit.
+# authenticate with TLS certificates.
 #
-# If disabled, optional client certificate authentication is configurable by
-# server.wantClientCertificates
+# Possible values are: 'required' (or 'true'), 'optional' (or 'false') and 'none'
+#
+# If required, only https clients with a valid client certificate will be able
+# to access Gitblit.
+#
+# If optional, client certificate authentication is optional and will be tried
+# first before falling-back to form authentication or basic authentication.
+#
+# If completely disabled ('none'), then the server will not ask the client to
+# present a client certificate at all.
 #
 # Requiring client certificates to access any of Gitblit may be too extreme,
 # consider this carefully.
 #
 # SINCE 1.2.0
 # RESTART REQUIRED
-server.requireClientCertificates = false
+server.requireClientCertificates = optional
 
 # If enabled, client certificate authentication is optional and will be tried
 # first before falling-back to form authentication or basic authentication.
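Review bot: The value list in the new comment omits the canonical `disabled` spelling that the code accepts (the enum in Constants.java maps `none` to `DISABLED`, so both work), and it does not say what an unrecognised value does; suggest `# Possible values are: 'required' (or 'true'), 'optional' (or 'false') and 'disabled' (or 'none')`. The `server.wantClientCertificates` block whose comment forms the trailing context of this hunk still documents a setting that this commit stops reading in GitBlitServer, so it should be marked as no longer used here as well. It is also worth stating in the comment that the old default `false` now maps to `optional`, which per the GitBlitServer hunk sets `wantClientAuth(true)` and so makes the server ask for a client certificate in every TLS handshake; deployments that previously had both settings at `false` may see clients prompted for a certificate where they were not before.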
index ab503bd392ccf9297ee68dc95ae2859baae3fa2b..c73bc24b7e0bf79cacf6cdce6751ec87d151fb58 100644 (file)
@@ -645,6 +645,28 @@ public class Constants {
                }\r
        }\r
 \r
+       public enum TlsClientCertPolicy {\r
+               REQUIRED, TRUE, OPTIONAL, FALSE, DISABLED, NONE;\r
+\r
+               public static TlsClientCertPolicy fromString(String value) {\r
+                       for (TlsClientCertPolicy t : values()) {\r
+                               if (t.name().equalsIgnoreCase(value)) {\r
+                                       switch(t) {\r
+                                               case TRUE:\r
+                                                       return REQUIRED;\r
+                                               case FALSE:\r
+                                                       return OPTIONAL;\r
+                                               case NONE:\r
+                                                       return DISABLED;\r
+                                               default:\r
+                                                       return t;\r
+                                       }\r
+                               }\r
+                       }\r
+                       return TlsClientCertPolicy.OPTIONAL;\r
+               }\r
+       }\r
+\r
        /**\r
         * The type of merge Gitblit will use when merging a ticket to the integration branch.\r
         * <p>\r
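Review bot: `fromString` silently falls back to OPTIONAL for any value it does not recognise, including a misspelling such as `require` or `yes`, so a typo in `server.requireClientCertificates` quietly downgrades a deployment that intended mandatory client certificates to optional ones without a log line. Since the setting already requires a restart, failing at startup is the safer choice: replace the final `return TlsClientCertPolicy.OPTIONAL;` with `throw new IllegalArgumentException("Unknown value for requireClientCertificates: " + value);`, or at least log a warning naming the rejected value before returning. A null `value` currently takes the same fallback because `equalsIgnoreCase(null)` is false, so it would need to be handled consistently with the throw. As a style point, TRUE, FALSE and NONE exist only as aliases yet are real enum constants, so they leak out through `values()` and `valueOf` and oblige every `switch` on the type to account for them; keeping three constants and mapping the alias strings inside `fromString` would make the enum simpler.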
index 190cc5d2d6dfb457d47616016002adb34c993be2..6391412122bc5a1473d9b50f84694cd153963bc0 100644 (file)
@@ -57,6 +57,7 @@ import org.kohsuke.args4j.Option;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.gitblit.Constants.TlsClientCertPolicy;
 import com.gitblit.authority.GitblitAuthority;
 import com.gitblit.authority.NewCertificateConfig;
 import com.gitblit.servlet.GitblitContext;
@@ -289,10 +290,15 @@ public class GitBlitServer {
                                logger.info("Setting up HTTPS transport on port " + params.securePort);
                                GitblitSslContextFactory factory = new GitblitSslContextFactory(params.alias,
                                                serverKeyStore, serverTrustStore, params.storePassword, caRevocationList);
-                               if (params.requireClientCertificates) {
+                               TlsClientCertPolicy clientCertPolicy = TlsClientCertPolicy.fromString(params.requireClientCertificates);
+                               if (clientCertPolicy == TlsClientCertPolicy.REQUIRED) {
                                        factory.setNeedClientAuth(true);
+                               } else if (clientCertPolicy == TlsClientCertPolicy.OPTIONAL) {
+                                       factory.setNeedClientAuth(false);
+                                       factory.setWantClientAuth(true);
                                } else {
-                                       factory.setWantClientAuth((params.wantClientCertificates));
+                                       factory.setNeedClientAuth(false);
+                                       factory.setWantClientAuth(false);
                                }
 
                                ServerConnector connector = new ServerConnector(server, factory);
@@ -600,10 +606,7 @@ public class GitBlitServer {
                public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081);
 
                @Option(name = "--requireClientCertificates", usage = "Require client X509 certificates for https connections.")
-               public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false);
-
-               @Option(name = "--wantClientCertificates", usage = "Ask for optional client X509 certificate for https connections. Ignored if client certificates are required.")
-               public Boolean wantClientCertificates = FILESETTINGS.getBoolean(Keys.server.wantClientCertificates, false);
+               public String requireClientCertificates = FILESETTINGS.getString(Keys.server.requireClientCertificates, "optional");
 
                /*
                 * Setting overrides
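Review bot: The `--requireClientCertificates` usage text in the last hunk still reads `Require client X509 certificates for https connections.` although the option now takes a policy string, so `--help` gives no hint that `optional` or `disabled` exist; suggest `usage = "Client X509 certificate policy for https connections: required (true), optional (false) or disabled (none)."`. The same hunk removes the `--wantClientCertificates` option, so a start script still passing it will presumably be rejected by args4j after the upgrade, which the commit message does not mention. In the HTTPS setup hunk the effective policy is never logged although the surrounding code logs the transport setup; `logger.info("Client certificate policy: " + clientCertPolicy);` after the `fromString` call would show in the startup log which policy was actually applied, which matters because `fromString` maps unexpected values rather than rejecting them. The method enclosing the HTTPS setup hunk and the class holding the option fields both start and end outside the hunks.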